Is it possible to do an ML job that says
If event.code: 4264 and 4265 within 30 minutes ?
Its for SIEM, I would like a detection to go off if a single account is enabled / disabled within a short time .
I need the Over field
Yes, and in the SIEM v7.10 you can create a detection on an EQL query:
https://www.elastic.co/guide/en/security/7.10/rules-ui-create.html#create-eql-rule
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.